Making Data Security The Foundation Of Your Virtualization Infrastructure

Transcription

1 Making Data Security The Foundation Of Your Virtualization Infrastructure by Dave Shackleford hytrust.com Cloud Under Control P: P:

2 Securing data has never been an easy task. Its challenges include properly classifying data according to value and risk, applying appropriate security policies in response to those risks, controlling enterprise-wide encryption, and managing myriad system and data-access controls. Now, with virtualization and a more dynamic infrastructure, enterprises have an even greater challenge in protecting their data. The good news is that your data can be well guarded in virtualized environments as long as your security teams understand the new ways that virtual machine (VM) elements and data can be exposed and the security technologies available to help solve those problems. This paper explores these topics. Virtualization Complexity and Risk In June 2011, the Payment Card Industry (PCI) Standards Council released a long-awaited information supplement to the latest Data Security Standard (DSS) titled PCI DSS Virtualization Guidelines. This document, collaboratively produced by a group of security and compliance professionals, provides guidance on how your security and compliance teams, particularly PCI assessors, should evaluate virtual infrastructure that falls within the scope of payment card compliance requirements. Two key sections of the document stand out one details virtualization risks, and the other addresses control recommendations. Both are generally relevant to the goal of data protection in virtual environments whether or not your servers have any requirement to meet PCI guidelines. Several of the risks include: Increased complexity of virtualized systems and networks: The addition of new technology layers, such as virtual networking and appliances and the hypervisor itself, creates potential misconfiguration issues. These, coupled with virtualization vulnerabilities, can lead to significant risk potential. Mixing VMs of different trust levels: The guidance implies that mixing different data classification levels on a single hypervisor could lead to data loss or exposure (which also logically applies to the storage of VM images). Lack of separation of duties: Lack of proper role definition and privilege assignment could lead to privileged access granted widely and for far more than just the virtualization management console. Page 1

3 Dormant VMs: VMs that are not active (dormant or no longer used) could still house sensitive data such as authentication credentials, encryption keys, or critical configuration information. Vulnerability of VM images and snapshots: if images aren t secured and protected from modification, an attacker may gain access and insert vulnerabilities or malicious code into the image. The compromised image could then be deployed throughout the environment, resulting in a rapid compromise of multiple hosts. Vulnerabilities in the physical environment apply in a virtual environment: Physical threats also apply to virtual implementations; the most securely configured, well-contained logical partitions will still need adequate physical controls for protection of the hardware. The PCI Council recommends the following control measures that apply specifically to data protection: Evaluate risks associated with virtual technologies: Assess all virtualization components and processes for risk just like any other technology. Restrict physical access: Ensure physical access to VMs and virtualization platforms is restricted and carefully monitored. Implement defense in depth: Security controls should be considered and potentially applied at all layers of technology implementation, including physical systems, hypervisor software, host OS, VM platforms, applications, and storage. Enforce least privilege and separation of duties. As a best practice, restrict administrative access by specific VM function, virtual network, hypervisor, hardware, application, and data store. Harden VMs and other components: Hardening and lockdown should include virtual network interfaces and storage areas, and the integrity of any cryptographic key-management operations should be verified. Earlier versions of the PCI standard addressed the need for encryption of credit card and other sensitive data. With virtualization, sensitive information can be exposed in new ways even if encryption is deployed within the VM. The release of the new PCI Council guidelines demonstrates how critical and widespread virtualization has become and how important it is to evaluate data security risks in these environments to meet both security best practices and compliance mandates. Page 2

4 The flexibility and mobility benefits of virtualization bring a greater need to expand your thinking about data protection to extend protections throughout the data lifecycle. The Data Lifecycle Securing devices where a VM resides for the moment is not enough. It is important to look at the complete life-cycle of the VM and its data and secure that data wherever it goes: in the private data center, in backups, on remote systems, and increasingly, as VMs are moved into the public cloud. The first key to developing a sound data protection plan is to understand the data lifecycle. Figure 1 shows a widely used model developed by KPMG. Compliance Figure 1. The Data Lifecycle Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7 Gerneration Use Transfer Transformation Storage Archival Destruction The first four phases, from generation through transformation, rely on security through proper data classification and application-specific controls. However, in a virtual environment, there are a number of access control and administration tasks that should be in place to create the framework for an enhanced data protection focus. Page 3

5 VM Storage Security The fifth phase of the data lifecycle is storage. For VMs, quite a few types of files need to be protected to adequately protect sensitive data. Figure 2 shows an example of these files (for VMware). Virtual Disk (Data) Virtual Disk (Data) Data Virtual Disk (Data) Virtual Disk (Data) Virtual Disk (Guest OS) Virtual Disk (Apps.) Executables Suspend File Config. Files Virtual Machine state & environment Snapshot File Paging File Log Files VM Meta Data VM memory image Critical VM configuration Forensics information There are many files associated with a single VM, from the virtual disk files (.vmdk) to the main configuration file (.vmx). The VMDK disk files are a primary location for sensitive data to be stored, so all VMDK files should be protected and monitored for illicit access or theft. In addition, there are a number of other file types that could potentially store sensitive data, and should be protected as well: VSWP: The VSWP file is your VM s swap or paging file. Each VM running on a hypervisor server gets its own swap file, which is created when the VM is powered on. The purpose of the swap file is to store memory pages when the VM s designated RAM is overcommitted. VMSS: VMSS files store memory data about a VM that has been temporarily suspended. Page 4

6 VMSN and VMSD: VMs can have data snapshots taken from which they can be restored later. The VMSN and VMSD files contain metadata about the VM and will be created once snapshots are taken. *-delta.vmdk: The DELTA file contains all changes to the VM disk once a snapshot is taken. This file will disappear once a snapshot is actually applied. Securing the data at rest also involves preventing physical theft of the VM files. The theft of a virtualized server no longer requires an attacker s physical presence. Gaining access to file shares, storage devices, or even administrator workstations can lead to theft of whole VMs. For this reason, security teams must be extremely diligent about monitoring activity around virtual infrastructure, including remote access and the use of USB-based storage devices. Sensitive data can be exposed in new ways in a virtualized world. As VMs become more mobile, the VM leaves an information footprint wherever it runs. Another critical data type to consider for VMs is the set of template files that represents master deployment images in your virtual environment. For organizations running VMware vsphere, these templates can consist of two specific files: VMTX: VM configuration templates (correspond to VMX files) VMTD: The VM disk configuration templates (correspond to VMDK files, older format for VM ware that may not be in use on newer platforms) Wherever these template files are stored, employ file integrity monitoring and logging to ensure that unauthorized tampering does not occur. If an attacker or malicious insider compromises the template file, unwanted changes could be replicated across a wide number of systems, causing unusual behavior, data exposure, or even denial-of-service conditions. Page 5

7 Archival and Destruction: Backup and VM Decommissioning There is a good chance that sensitive data could be present in VM disk or memory-related files, and some of these may be left behind inadvertently if you don t take proper precautions. Data archival and destruction are the last stages of the data lifecycle. For virtual environments, archival means backing up entire VMs and data accessed and stored for use in virtual environments; destruction could mean decommissioning VMs and their associated data. How can VMs stored in their entirety on backup tapes or other media be safely stored? The backup media must be encrypted. VM Data Protection with Encryption The right encryption solution can serve as the foundation for securing VMs and data. The solution should encrypt and protect data on behalf of the VM, and it should also encrypt and protect the VM image on behalf of the hypervisor. Implementing and managing an encryption solution can be unwieldy and difficult, and ongoing mainte nance requires manual processes or complex architecture changes. Ideally, encryption tools would encapsulate the entire VM, including all memory and swap files, snapshot files, and any files that contain sensitive data. Alternately, encrypting specific areas of the VM known to contain sensitive data may be more efficient. In addition to strong algorithms, an encryption solution needs to offer key management and rotation capabilities, and should be as easy to deploy and maintain as possible. Use encryption for VMs at rest and when generating secure VM backup images. Page 6

8 VM Data Access Control and Monitoring When it comes to crypto key management, the first security principle to enact for virtualized infrastructure is the separation of administrative duties. In many organizations, existing Windows or other systems administrators manage virtualization. Although this may be convenient, there are numerous aspects of proper management and administration of a virtualization environment that should be the responsibility of specific administration teams. Most virtualization platforms allow for reasonably granular role creation and privilege allocation. For example, Figure 3 shows the default VMware vsphere roles available in the vcenter management platform. Many administration teams use the built-in Administrator role and assign most users to roles that allow access to VMs for specific use cases. Many privileges can be assigned, including explicit access to defined data stores, which can help to control data leakage or unauthorized access to data that is stored in VMs. Figure 4 shows some example privileges in vcenter. Page 7

9 Ensuring that user roles and data access privileges are appropriate for the organization is critical. Unfortunately, native virtualization platforms do not facilitate this, and the creation of proper roles might take significant effort. Access to VMs should be carefully controlled through the assignment of roles and privileges for access and interaction and monitoring and auditing the storage infrastructure where VMs are located. How you control and monitor will depend on the type of storage you have and the monitoring capabilities of tools like log management and Security Information and Event Management (SIEM) platforms. Paying attention to the following types of user activities is prudent: Which users are accessing VM files? Where are the users located? What type of access is employed (vcenter or other management console access to remote fileshare access using domain credentials)? When the VM access and/or VM-related actions took place? Page 8

10 Conclusion Proper data protection capabilities are vital to a virtual infrastructure hosting sensitive data of any kind, especially if VMs are widely deployed or moving to hybrid and public cloud environments. The recognition of the need for virtualization security through industry and government regulations and from the information security community in general means that security at each stage of the data lifecycle will need to be addressed by solutions that have traditionally been implemented only in physical data center environments. To adequately protect data in VMs throughout their data lifecycle, separation of duties and role-based management are essential, and the existing virtualization vendors do not make it simple or granular to create and assign roles to different groups of users and IT teams. In addition, strong encryption is needed to encrypt full or partial VMs at rest, in backups, and in motion, and simple assignment of policy and key management will speed adoption of this fundamental security control. About the Author Dave Shackleford is currently the Senior VP, Research and CTO at IANS. Previously he was the Founder and Principal Consultant at Voodoo Security; Director, Risk & Compliance and Director, Security Assessments at Sword & Shield Enterprise Security, Inc.; Chief Security Strategist, EMC Ionix at EMC; and Chief Security Officer at Configuresoft; He is a SANS Instructor and teaches virtualization and cloud security to hundreds of companies every year. Page 9